Cross-site Scripting (XSS) - Stored in evereux/flicket
Reported on
Sep 22nd 2021
Description
Stored XSS on the department deletion page and elsewhere: user input is left unsanitized in many places.
Proof of Concept
1. Create a new department with name <img src=a onerror=alert(1) />
2. After creating the above department, click the delete icon next to it and see the popup.
3. Create a new ticket with title <img src=a onerror=alert(document.cookie)>
4. View the ticket and see the popup.
5. Go to the ticket and create a new reply with content <img src=a onerror=alert(document.cookie)>, refresh the page and see the popup.
Impact
Stored XSS leads to HTML injection, phishing, cookie theft, and so on.
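The three inputs from the proof of concept, passed through an unescaped and an escaped render path and then parsed to see whether an event handler survives as live markup. This is an added example, not flicket's own code: `render_unsafe`, `render_escaped` and the `<td>` wrapper are hypothetical stand-ins for the application's views, and only the Python standard library is used.

```python
from html import escape
from html.parser import HTMLParser

# Inputs copied from the report's proof of concept, keyed by the field they go into.
POC_INPUTS = {
    "department name": "<img src=a onerror=alert(1) />",
    "ticket title": "<img src=a onerror=alert(document.cookie)>",
    "reply content": "<img src=a onerror=alert(document.cookie)>",
}


class HandlerFinder(HTMLParser):
    """Records (tag, attribute) for every on* event-handler attribute parsed."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.handlers = []

    def handle_starttag(self, tag, attrs):
        self.handlers += [(tag, name) for name, _ in attrs if name.startswith("on")]


def render_unsafe(value):
    # Hypothetical view: the stored value is concatenated into the page as-is.
    return '<td class="name">' + value + "</td>"


def render_escaped(value):
    # Same hypothetical view with output encoding applied at render time.
    return '<td class="name">' + escape(value, quote=True) + "</td>"


def injected_handlers(fragment):
    """Parse a rendered fragment and return the event handlers it contains."""
    finder = HandlerFinder()
    finder.feed(fragment)
    finder.close()
    return finder.handlers


def audit(render):
    """Render every PoC input and report which fields end up as live markup."""
    return {field: injected_handlers(render(v)) for field, v in POC_INPUTS.items()}


if __name__ == "__main__":
    for label, render in (("unsafe", render_unsafe), ("escaped", render_escaped)):
        for field, found in audit(render).items():
            print(f"{label:8} {field:16} {found or 'no handlers'}")
```

The `audit` function can be pointed at any render helper as a regression check: every field should come back with an empty list.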